I am trying to implement web app security. I have a web-app called security running on my Tomcat. I am able to implement authentication and authorization, but am not able to implement data confidentiality. The problems that I am running into are listed below:
1) Whenever I try to implement data confidentiality, I get a "page cannot be displayed" error. But when I comment out the <user-data-constraint> element in web.xml, it works OK. So I am unable to run a secured HTTPS over SSL request.
2) When I do not have an <http-method> element, why does it allow access to my servlet? I guess it should not.
3) When I have only POST as the constraint method, i.e. <http-method>POST</http-method>, then the first page that gets loaded is the welcome file; the container does not ask for authentication. The welcome file (which in this case happens to be form.html) then does authentication on submit. But if we have <http-method>GET</http-method>, then the container authenticates and does not load the welcome page, but loads it only after authentication. Can anybody tell me the reason for this discrepancy?
4) I generally type each user with their password and roles in tomcat-users.xml. How do I configure this using a database such as Oracle or MySQL? I am sure we do not type this info in tomcat-users.xml in a real-time app.
My web.xml file looks like this. Kindly tell me what aspect I am overlooking. Hoping for a response on all 4 aspects.
With regard to point 4, you can configure Tomcat to use a JDBC realm, which is an implementation of Tomcat's 'Realm' interface. The default implementation that comes 'out of the box' reads user info from a flat text file (tomcat-users.xml), but a JDBC realm will read from a DB of your choice.
Configure it in server.xml as follows:
userTable - the table containing the user info
userNameCol - the column name containing usernames
userCredCol - the column name containing passwords
roleNameCol - the column name containing the roles
userRoleTable - the table mapping users to roles
With regard to the other points, have you configured an SSL connector for Tomcat? Check out
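Pulling the JDBC realm attributes listed above and the SSL connector just mentioned into concrete configuration, as an added example that is not from the thread's own posts. It assumes a Tomcat 6-style HTTPS connector, a MySQL database named tomcat_auth, and the table, column, role and URL names shown, all of which are placeholders to adjust to your own schema and app.

```xml
<!-- server.xml fragment (added example, not from the thread). Assumes a Tomcat 6-style
     HTTPS connector and a MySQL database "tomcat_auth" with the tables named below. -->
<Server>
  <Service name="Catalina">
    <!-- HTTPS connector: the target that a CONFIDENTIAL transport-guarantee
         redirects to; without it the browser gets "page cannot be displayed". -->
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="${catalina.base}/conf/keystore.jks"
               keystorePass="changeit" />
    <!-- Plain HTTP connector; redirectPort must match the HTTPS port above. -->
    <Connector port="8080" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <!-- JDBC realm in place of tomcat-users.xml, using the attributes listed
           in the reply. digest="SHA" stores hashed rather than plaintext passwords
           (Tomcat 8+ prefers a nested CredentialHandler for salted hashes). -->
      <Realm className="org.apache.catalina.realm.JDBCRealm"
             driverName="com.mysql.jdbc.Driver"
             connectionURL="jdbc:mysql://localhost/tomcat_auth"
             connectionName="tomcat" connectionPassword="db-password-placeholder"
             userTable="users" userNameCol="user_name" userCredCol="user_pass"
             userRoleTable="user_roles" roleNameCol="role_name"
             digest="SHA" />
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>

<!-- web.xml fragment: the constraint the question describes (points 1 to 3). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected servlet</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
    <!-- With only <http-method>POST</http-method>, GET stays unconstrained, so a
         GET of the welcome page is served without a login prompt; omit http-method
         entirely to constrain every method. -->
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>manager</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

The users table needs the user_name and user_pass columns, and user_roles needs user_name and role_name, since JDBCRealm joins the two on userNameCol.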